Full Disclosure mailing list archives

Re: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!


From: Henrik Lund Kramshøj <hlk () kramse dk>
Date: Sun, 26 Jan 2003 14:14:33 +0100


On Sunday, Jan 26, 2003, at 06:52 Europe/Copenhagen, Schmehl, Paul L wrote:

> Cyberterrorism????  Getting a bit hyped up, aren't we?  It's just
> another stupid worm.

No, I don't think so

Why do you consider it terrorism only when people are hurt directly?
In Denmark where I live and many other countries monetary damage is
being acted upon even more harshly than "just maiming/hurting" people

Note that I don't say this is right, but in many places the punishment for
stealing somebody's property is harsher than if you hurt them physically
- especially if you're drunk, people get away with murder by car etc.

SO, the point is - was the damage caused big enough to consider this
terrorism? Close call, but I don't think so, since the payload was rather
non-malicious and the real effect was a side effect. Had it been a 376 byte
worm and 124 bytes HARMFUL code then I would consider this an
act of cyberterrorism
- even though the actual target in that case would be hard to predict.

we hear quotes like:
Starting 06:30 UTC ( 00:30 EST ) on Saturday Jan 25th 2003, worldwide traffic for port 1434 UDP increased rapidly causing major Internet links to fail. ISPs responded quickly by blocking port 1434. While traffic is still strong in some areas, it dropped to about 5% of peak globally.

Single ms-sql servers have been reported to generate traffic in excess of 50 MBit/sec. after being infected.

Keystone's Internet Health report is still reporting a link degradation: http://www1.internetpulse.net/ As a result of degraded links, root DNS servers and other resources have been unavailable at times.

"This has effectively disabled 5 of the 13 root nameservers."
------------------

I would rate this quite serious, but thanks to the quick response from the network operators the people who should know this and update their servers in the future
WON'T learn
*sheeez* they already had the example of SQLsnake worm and Code Red, but STILL didn't do anything about this vuln, or even firewall the port in the first place.

Best regards

--
Henrik Lund Kramshøj
hlk@{kramse.dk|inet6.dk|sikkerhedsforum.dk|security6.org}
Please read email policy at http://www.kramse.dk/email

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

